Cryptographic devices and methods for generating and verifying commitments from linearly homomorphic signatures

ABSTRACT

A processor of a device generates a cryptographic commitment by receiving a vector {right arrow over (m)}, a public verification key of a homomorphic signature scheme, and a tag; choosing a signature σ in the signature space; generating a commitment c by running the verification algorithm of the homomorphic signature scheme; and outputting the commitment c as intermediate values resulting from the verification algorithm.

TECHNICAL FIELD

The present invention relates generally to cryptography, and in particular to non-malleable commitments from linearly homomorphic signatures.

BACKGROUND

This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.

A so-called commitment scheme can be said to be the digital equivalent of a sealed envelope: whatever is in the envelope remains secret until the envelope is opened. At the same time, the sender cannot change his mind about the content once the envelope has been closed. The goal of the commitment scheme is thus to force a sender to define a message that cannot be changed until it is revealed at some time in the future.

Commitment schemes can be non-interactive, which means that the so-called commitment phase and the opening phase both consist of a single message from the sender to the receiver. Put another way, the receiver does not have to interact with the sender in any way other than to receive messages.

A trapdoor commitment is a perfectly hiding commitment (i.e. where the hiding property holds even against an unbounded adversary) for which a trapdoor tk makes it possible to break the binding property and open a commitment to an arbitrary value. However, this should remain infeasible without the trapdoor. As will be seen during the description of the invention, a trapdoor commitment uses two additional algorithms called FakeCom and FakeOpen.

In a simulation-sound trapdoor commitment (SSTC), each commitment is labeled with a tag. A definition is given in P. MacKenzie, K. Yang. On Simulation-Sound Trapdoor Commitments. In Eurocrypt'04, Lecture Notes in Computer Science, vol. 3027, pages 382-400, 2004. This definition requires that even if the adversary is allowed to see equivocations of commitments to possibly distinct messages for several tags tag₁, . . . , tag_(q), it will not be able to break the binding property for a new tag ∉ {tag₁, . . . , tag_(q)}.

Another desirable property of a commitment scheme is that an adversary cannot commit to messages that are correlated to those of honest players. The notion of independence with respect to opening captures that the messages to which the adversary can open its commitment should be independent of the way honest senders' commitments are opened. See G. Di Crescenzo, Y. Ishai, R. Ostrovsky. Non-Interactive and Non-Malleable Commitment. In STOC'98, pages 141-150, 1998. and R. Gennaro and S. Micali. Independent Zero-Knowledge Sets. In ICALP'06, Lecture Notes in Computer Science, vol. 4052, pages 34-45, 2006.

For the commitments, groups (

,

_(T)) of prime order p>2^(λ) are considered, where λ is a security parameter, over which the discrete logarithm problem is presumed hard. Moreover an efficiently computable bilinear map (a.k.a. pairing) is assumed; e:

×

→

_(T). Namely, for any g, h∈

and any a, b∈

, e(g^(a),h^(b))=e(g,h)^(ab). Moreover, e(g,h)≠

, if and only if g≠

and h≠

.

In these groups, it is possible to rely on the following hardness assumptions:

-   -   the Computational Diffie-Hellman Problem (CDH);     -   the Decision Linear Problem (DLIN)—see D. Boneh, X. Boyen, H.         Shacham. Short Group Signatures. In Crypto'04, Lecture Notes in         Computer Science, vol. 3152, pages 41-55, Springer, 2004; and     -   the Simultaneous Double Pairing problem (SDP). This assumption         is implied by the DLIN assumption in the group         —see M. Abe, K. Haralambiev, M. Ohkubo. Signing on Elements in         Bilinear Groups for Modular Protocol Design. Cryptology ePrint         Archive: Report 2010/133, 2010.

The prior art comprises several constructions of non-interactive non-malleable commitments that are not re-usable in that the adversary is only given one honestly generated commitment before outputting a commitment of its own. See for example:

-   -   G. Di Crescenzo, Y. Ishai, R. Ostrovsky. Non-Interactive and         Non-Malleable Commitment. In STOC'98, pp. 141-150, 1998.     -   U.S. Pat. No. 6,301,664 (G. Di Crescenzo, Y. Ishai, R.         Ostrovsky. Method and System for Non-Malleable and         Non-Interactive Cryptographic Commitment in a Network. 2001.)     -   G. Di Crescenzo, J. Katz, R. Ostrovsky, A. Smith. Efficient and         Non-interactive Non-malleable Commitment. In Eurocrypt'01,         Lecture Notes in Computer Science, vol. 2045, pp. 40-59, 2001.

The notion of re-usable non-malleable commitments was proposed by Damgård and Groth [I. Damgård, J. Groth. Non-interactive and reusable non-malleable commitment schemes. In STOC'03, pages 426-437, 2003.]. Re-usable non-malleable commitments can be constructed from simulation-sound trapdoor commitments [see J. Garay, P. MacKenzie, K. Yang. Strengthening Zero-Knowledge Protocols Using Signatures. In Eurocrypt'03, Lecture Notes in Computer Science, vol. 2656, pp. 177-194, 2003. and P. MacKenzie, K. Yang. On Simulation-Sound Trapdoor Commitments. In Eurocrypt'04, Lecture Notes in Computer Science, vol. 3027, pp. 382-400, 2004.] and multi-trapdoor commitments [R. Gennaro. Multi-Trapdoor Commitments and Their Applications to Proofs of Knowledge Secure Under Concurrent Man-in-the-Middle Attacks. In Crypto'04, Lecture Notes in Computer Science, vol. 3152, pp. 220-236, 2004].

In their paper, MacKenzie and Yang gave constructions of SSTCs from signature schemes admitting efficient Σ protocols. As is known in the art, a Σ protocol is a three move interactive protocol between a prover and a verifier. In fact, as noted by Fujisaki [E. Fujisaki. New Constructions of Efficient Simulation-Sound Commitments Using Encryption and Their Applications. In CT-RSA'12, Lecture Notes in Computer Science, vol. 7178, pp. 136-155, 2012.], all known constructions of noninteractive simulation-sound or multi-trapdoor [see the paper by Gennaro] commitments build on signature schemes for which an efficient Σ protocol allows proving knowledge of a signature.

The idea is to commit to a message m by using m as the challenge of a Σ protocol for proving knowledge of a signature σ=Sig(sk, tag) on the tag. The commitment is given by the first message a of the Σ protocol transcript (a, m, z), which is obtained by simulating a proof of knowledge of a valid signature σ on the message tag. The commitment is subsequently opened by revealing z. By the special soundness of the Σ protocol, unless the sender actually knows a valid signature on tag, it can only open a given commitment a to one message m.

While simple, the above construction does not readily extend to commit to vectors if we want the sender to remain able to efficiently prove statements about individual coordinates of the committed vector. Moreover, the method based on Σ protocol does not make it possible to commit to vectors of group elements: to this end, we would need a Σ protocol where challenges are vectors of group elements. In the previously mentioned paper, Fujisaki gave an alternative construction of SSTC system based on encryption schemes. However, this construction is interactive as several rounds of interaction are needed between the sender and the receiver during the commitment phase.

Non-interactive commitments to group elements were described in for example:

-   -   J. Groth. Simulation-Sound NIZK Proofs for a Practical Language         and Constant Size Group Signatures. In Asiacrypt'06, Lecture         Notes in Computer Science, vol. 4284, pp. 444-459, Springer,         2006.     -   J. Groth, A. Sahai. Efficient non-interactive proof systems for         bilinear groups. In Eurocrypt'08, Lecture Notes in Computer         Science, vol. 4965, pp. 415-432, 2008.     -   J. Cathalo, B. Libert, M. Yung. Group Encryption:         Non-Interactive Realization in the Standard Model. In         Asiacrypt'09, Lecture Notes in Computer Science, vol. 5912, pp.         179-196, 2009.     -   J. Groth. Homomorphic trapdoor commitments to group elements.         Cryptology ePrint Archive: Report 2009/007, 2009.

However, these schemes are all homomorphic and thus malleable. To date, the only known non-interactive non-malleable commitment schemes whose messages and openings only consist of group elements were described by Fischlin et al. [see M. Fischlin, B. Libert, M. Manulis. Non-interactive and Re-usable Universally Composable String Commitments with Adaptive Security. In Asiacrypt'11, Lecture Notes in Computer Science, vol. 7073, pp. 468-485, 2011.]. However, these constructions cannot be length-reducing (i.e., the commitment cannot be shorter than the message) as they achieve universal composability [see R. Canetti. Universally Composable Security: A New Paradigm for Cryptographic Protocols. In FOCS'01 pp. 136-145, 2001. and R. Canetti, M. Fischlin. Universally Composable Commitments. In Crypto'01, Lecture Notes in Computer Science, vol. 2139, pp. 19-40, 2001] and it is known that universally composable commitments must be extractable (namely, a trapdoor information should make it possible to recover the message contained in the commitment).

It will thus be appreciated that it is desired to have a commitment scheme that provides a modular construction of non-interactive non-malleable trapdoor commitment to vectors {right arrow over (m)}=(m₁, . . . , m_(n)) while retaining the ability of efficiently proving properties about individual vector coordinates {m_(i)}_(i=1) ^(n). This precludes the trivial solution consisting in committing to a hash value of the vector {right arrow over (m)}. It is also desired that the scheme enables to commit to group elements without knowing their discrete logarithms. In other words, the messages to be committed to should consist of vectors (M₁, . . . , M_(n))∈

^(n) of group elements, where

is a group over which a bilinear map e:

×

→

_(T) is efficiently computable. The commitment scheme should preferably also be designed so that the commitment string com has constant size, no matter how many group elements (M₁, . . . , M_(n)) are committed to at once. Finally, openings should preferably also consist of elements in

, which will make it possible to generate efficient non-interactive proofs (using the techniques of [J. Groth, A. Sahai. Efficient non-interactive proof systems for bilinear groups. In Eurocrypt'08, Lecture Notes in Computer Science, vol. 4965, pp. 415-432, 2008.]) that committed group elements satisfy certain properties. The present invention provides such a commitment scheme.

SUMMARY OF INVENTION

In a first aspect, the invention is directed to a method of generating a non-malleable cryptographic commitment. A processor of a device receives a vector, a public verification key of a homomorphic signature scheme associated with a space where signatures live, and a tag; chooses an element in the space where signatures live; generates a commitment using the vector, the public verification key, the tag and the element; and outputs the commitment. The commitment is generated by evaluating a linear function F used in a verification algorithm of the homomorphic signature scheme on the vector {right arrow over (m)}, the public verification key, the tag and the element σ.

In a first embodiment, the size of the commitment is independent of the size of the vector.

In a second embodiment, wherein the vector comprises elements of a group

over which a bilinear map

×

→

_(T) is efficiently computable.

In a third embodiment, the dimension of the vector is greater than or equal to 2.

In a fourth embodiment, the commitment allows to prove knowledge of an opening using zero-knowledge proof.

In a fifth embodiment, the commitment is generated as intermediate values resulting from the verification algorithm.

In a second aspect, the invention is directed to a device for generating a non-malleable cryptographic commitment. The device comprises at least one interface configured to: receive a vector, a public verification key of a homomorphic signature scheme associated with a space where signatures live, and a tag; and output a commitment. The device further comprises a processor configured to: choose an element in the space where signatures live; an generate the commitment using the vector, the public verification key, the tag and the element. The processor is configured to generate the commitment by evaluating a linear function F used in a verification algorithm of the homomorphic signature scheme on the vector {right arrow over (m)}, the public verification key, the tag and the element σ.

In a first embodiment, the size of the commitment is independent of the size of the vector.

In a second embodiment, wherein the vector comprises elements of a group

over which a bilinear map

×

→

_(T) is efficiently computable.

In a second embodiment, the dimension of the vector is greater than or equal to 2.

In a third embodiment, the commitment allows to prove knowledge of an opening using zero-knowledge proof.

In a fourth embodiment, the commitment is generated as intermediate values resulting from the verification algorithm.

In a third aspect, the invention is directed to a non-transitory computer program product storing instructions that, when executed by a processor, perform the method of any embodiment of the first aspect.

BRIEF DESCRIPTION OF DRAWINGS

Preferred features of the present invention will now be described, by way of non-limiting example, with reference to the accompanying drawings, in which:

FIG. 1 illustrates a cryptographic device for generating commitments and a cryptographic device for verification of commitments according to a preferred embodiment of the invention; and

FIG. 2 illustrates a method for generating a commitment and for verifying the opening of a commitment according to a preferred embodiment of the invention.

DESCRIPTION OF EMBODIMENTS

A main idea of the present invention is based on that, under a certain mild condition, linearly homomorphic structure-preserving signatures imply length-reducing non-malleable structure-preserving commitments to vectors of group elements. As a result, the invention provides a length-reducing non-malleable structure-preserving trapdoor commitment. It will be noted that the scheme is not strictly structure-preserving (which is to say that the commitment string does not live in the same group as the message, according to the terminology of M. Abe, K. Haralambiev, M. Ohkubo. Group to Group Commitments Do Not Shrink. In Eurocrypt'12, Lecture Notes in Computer Science, vol. 7237, pp. 301-317, 2012.). Rather, the scheme is structure-preserving in the non-strict sense as the commitment string lives in

_(T) rather than

(but, as shown in the paper, strictly structure-preserving commitments cannot be length-reducing). Still, openings only consist of elements in

, which makes it possible to generate efficient non-interactive proofs that committed group elements satisfy certain properties.

The schemes of the present invention are obtained by first constructing simulation-sound trapdoor commitments (SSTC) to group elements (see J. Garay, P. MacKenzie, K. Yang Strengthening Zero-Knowledge Protocols Using Signatures. In Eurocrypt'03, Lecture Notes in Computer Science, vol. 2656, pp. 177-194, 2003 and P. MacKenzie, K. Yang. On Simulation-Sound Trapdoor Commitments. In Eurocrypt'04, Lecture Notes in Computer Science, vol. 3027, pp. 382-400, 2004).

SSTC schemes were first suggested in the paper by Garay, MacKenzie and Yang as a tool for constructing universally composable zero-knowledge proofs (see R. Canetti. Universally Composable Security: A New Paradigm for Cryptographic Protocols. In FOCS'01, pp. 136-145, 2001.) MacKenzie and Yang subsequently gave a simplified security definition that suffices to provide non-malleability with respect to opening in the sense of the definition of re-usable non-malleable commitments (see I. Damgård, J. Groth. Non-interactive and reusable non-malleable commitment schemes. In STOC'03, pages 426-437, 2003.).

It is first noted that any constant-size linearly homomorphic structure-preserving signature necessarily complies with the following template.

Keygen(pp, n): given public parameters pp, which contain the description of groups (

,

_(T)) with a bilinear map, and the dimension n∈

of the subspace to be signed, choose constants n_(z), n_(v), m∈

. Of these, n_(z) and n_(v) determine the signature length while m is the number of equations in the verification algorithm. Then choose elements {F_(j,μ)}_(j∈{1, . . . , m}, μ∈{1, . . . , n) _(z) _(}), {G_(ji)}_(i∈{1, . . . , n}, j∈{1, . . . , m}) the group

. The public key is

pk=({F _(j,μ)}_(j∈{1, . . . ,m},μ∈{1, . . . ,n) _(z) },{G _(ji)}_(i∈{1, . . . ,n},j∈{1, . . . ,m}))

and the private key comprises information related to the representation of public key elements with regard to specific bases. Sign(sk, τ, (M₁, . . . , M_(n))): outputs a tuple

σ=(Z ₁ , . . . ,Z _(n) _(z) ,V ₁ , . . . ,V _(n) _(v) )∈

^(n) ^(z) ^(+n) ^(v) .

SignDerive(pk, τ, {(ω_(i), σ^((i)))}_(i=1) ^(l)): parses each signature σ^((i)) as (Z₁ ^((i)), . . . , Z_(n) _(z) ^((i)), V₁ ^((i)), . . . , V_(n) _(v) ^((i))) for i=1 to l and then computes

$Z_{\mu} = {\prod\limits_{i = 1}^{}Z_{\mu}^{{(i)}^{\omega_{i}}}}$ $V_{v} = {\prod\limits_{i = 1}^{}V_{v}^{{(i)}^{\omega_{i}}}}$ μ ∈ {1, …  , n_(z)}, v ∈ {1, …  , n_(v)}

and outputs, possibly after a re-randomization step, σ=(Z₁, . . . , Z_(n) _(z) , V₁, . . . , V_(n) _(v) ). Verify(pk, σ, τ, (M₁, . . . , M_(n))): given a signature σ=(Z₁, . . . , Z_(n) _(z) , V₁, . . . , V_(n) _(v) )∈

^(n) ^(z) ^(+n) ^(v) , a vector (M₁, . . . , M_(n)) and a tag τ, return 0 if (M₁, . . . , M_(n))=(

, . . . ,

).

Otherwise:

-   -   1. For each j∈{1, . . . , m} and v∈{1, . . . , n_(v)}, compute         one-to-one encodings T_(j,v)∈         of the tag τ as a group element. (It is possible to relax this         condition to have collision-resistant deterministic encodings.         Here, injectivity is assumed for simplicity.)     -   1. For j=1 to m, compute

${c_{j} = {\prod\limits_{\mu = 1}^{n_{z}}\; {{e\left( {F_{j,\mu},Z_{\mu}} \right)} \cdot {\prod\limits_{v = 1}^{n_{v}}\; {{e\left( {T_{j,v},V_{v}} \right)} \cdot}}}}}{\prod\limits_{i = 1}^{n}\; {e\left( {G_{j,i},M_{i}} \right)}}$

-   -   2. Return 1 if and only if c_(j)=         for each j∈{1, . . . , m}.

In the following description, a linearly homomorphic structure-preserving signature is ‘regular’ if, for each file identifier (i.e. ‘tag’), any non-trivial vector (M₁, . . . , M_(n))≠(

, . . . ,

) has a valid signature.

FIG. 1 illustrates a cryptographic device 100 for generating commitments and a cryptographic device 200 for verification of commitments according to a preferred embodiment of the invention. The devices 100, 200 each comprise at least one interface unit 110, 210 configured for communication, at least one processor (“processor”) 120, 220 and at least one memory 130, 230 configured for storing data, such as accumulators and intermediary calculation results. FIG. 1 also shows a first and a second computer program product (non-transitory storage medium) 140, 240 such as a CD-ROM or a DVD comprises stored instructions that, when executed by the processor 120, 220, respectively generate and verify a commitment according to the present invention.

Construction of Structure-Preserving Simulation-Sound Trapdoor Commitments

If Π^(SPS)=(Keygen, Sign, SignDerive, Verify) is a linearly homomorphic structure-preserving signature (SPS), then a structure-preserving simulation-sound trapdoor commitment (SSTC) may be constructed as follows:

SSTC.Setup(λ, n): given the desired dimension n∈

of committed vectors, choose public parameters pp for the linearly homomorphic SPS scheme. Then run Π^(SPS)·Keygen(pp, n) to obtain pk=({F_(j,μ)}_(j∈{1, . . . , m}, μ∈{1, . . . , n) _(z) _(}), {G_(ji)}_(i∈{1, . . . , n}, j∈{1, . . . , m})) for some constants n_(z), n_(v), m and a secret key sk. The commitment key is pk=pk and the trapdoor tk consists of sk. It is to be noted that the public key defines a signature space

^(n) ^(z) ^(+n) ^(v) for constants n_(z) and n_(v). SSTC.Com(pk, tag, (M₁, . . . , M_(n))): to commit to a vector (M₁, . . . , M_(n))∈

^(n) with respect to the tag tag=τ, choose

$\left( {Z_{1},\ldots \mspace{14mu},Z_{n_{z}},V_{1},\ldots \mspace{14mu},V_{n_{v}}} \right)\overset{R}{}^{n_{z} + n_{v}}$

in the signature space. Then run steps 1 and 2 of Verify(pk, σ, τ, (M₁, . . . , M_(n))), i.e. compute

${c_{j} = {\prod\limits_{\mu = 1}^{n_{z}}\; {{e\left( {F_{j,\mu},Z_{\mu}} \right)} \cdot {\prod\limits_{v = 1}^{n_{v}}\; {{e\left( {T_{j,v},V_{v}} \right)} \cdot}}}}}{\prod\limits_{i = 1}^{n}\; {e\left( {G_{j,i},M_{i}} \right)}}$ j ∈ {1, …  , m}

where {T_(j,v)}_(j,v) form an injective encoding of tag=τ as a set of group elements. The commitment string is given by com=(c₁, . . . , c_(m)) whereas the de-commitment consists of dec=(Z₁, . . . , Z_(n) _(z) , V₁, . . . , V_(n) _(v) ). SSTC.FakeCom(pk, tk, tag): proceeds like SSTC.Com with

${\left( {{\hat{M}}_{1},\ldots \mspace{14mu},{\hat{M}}_{n}} \right)\overset{R}{}^{n}}.$

If (

,

) denotes the resulting pair, the algorithm ouputs

=

and aux, which consists of the pair aux=(({circumflex over (M)}₁, . . . , {circumflex over (M)}_(n)),

) for tag=τ. SSTC.FakeOpen(aux, tk, tag,

, (M₁, . . . , M_(n))): parses

as ({tilde over (c)}₁, . . . , {tilde over (c)}_(m)) and aux as (({circumflex over (M)}₁, . . . , {circumflex over (M)}_(n)), ({circumflex over (Z)}₁, . . . , {circumflex over (Z)}_(n) _(z) , {circumflex over (V)}₁, . . . , {circumflex over (V)}_(n) _(v) )). It first generates a linearly homomorphic signature on (M₁/{circumflex over (M)}₁, . . . , M_(n)/{circumflex over (M)}_(n)) for the tag=τ. Namely, using the trapdoor tk=sk, compute

σ′=(Z′ ₁ , . . . ,Z′ _(n) _(z) ,V′ ₁ , . . . ,V′ _(n) _(z) )←Π^(SPS)·Sign(sk,τ,(M ₁ /{circumflex over (M)} ₁ , . . . ,M _(n) /{circumflex over (M)} _(n))).

Since σ′ is a valid signature and aux=(({circumflex over (M)}₁, . . . , {circumflex over (M)}_(n)),({circumflex over (Z)}₁, . . . , {circumflex over (Z)}_(n) _(z) , {circumflex over (V)}₁, . . . , {circumflex over (V)}_(n) _(v) )) satisfies

${\overset{\sim}{c}}_{j} = {\prod\limits_{\mu = 1}^{n_{z}}{{e\left( {F_{j,\mu},{\hat{Z}}_{\mu}} \right)} \cdot {\prod\limits_{v = 1}^{n_{v}}{{e\left( {T_{j,v},{\hat{V}}_{v}} \right)} \cdot {\prod\limits_{i = 1}^{n}{e\left( {G_{j,i},{\hat{M}}_{i}} \right)}}}}}}$ j ∈ {1, …  , m}

the fake opening algorithm can run

({tilde over (Z)} ₁ , . . . ,{tilde over (Z)} _(n) _(z) ,{tilde over (V)} ₁ , . . . ,{tilde over (V)} _(n) _(v) )←Sign·Derive(pk,τ,{(1,σ′),(1,{circumflex over (σ)})}),

where {circumflex over (σ)}=({circumflex over (Z)}₁, . . . , {circumflex over (Z)}_(n) _(z) , {circumflex over (V)}₁, . . . , {circumflex over (V)}_(n) _(v) ). By construction,

=({tilde over (Z)}₁, . . . , {tilde over (Z)}_(n) _(z) , {tilde over (V)}₁, . . . , {tilde over (V)}_(n) _(v) ) is a valid de-commitment to the vector (M₁, . . . , M_(n)) with respect to tag=τ. SSTC.Verify(pk, tag, (M₁, . . . , M_(n)), com, dec): parses the commitment as (c₁, . . . , c_(m))∈

_(T) ^(m) and the opening dec as (Z₁, . . . , Z_(n) _(z) , V₁, . . . , V_(n) _(v) )∈

^(n) ^(z) ^(+n) ^(v) . If these do not parse properly, it returns 0. Then it computes a one-to-one encoding {T_(j,v)}_(j,v) of tag=τ. Return 1 if

$c_{j} = {\prod\limits_{\mu = 1}^{n_{z}}{{e\left( {F_{j,\mu},Z_{\mu}} \right)} \cdot {\prod\limits_{v = 1}^{n_{v}}{{e\left( {T_{j,v},V_{v}} \right)} \cdot {\prod\limits_{i = 1}^{n}{e\left( {G_{j,i},M_{i}} \right)}}}}}}$ j ∈ {1, …  , m}

holds and 0 otherwise. SSTC from Linearly Homomorphic Signatures

This section provides a generalization of the previous structure-preserving construction. The goal is to construct simulation-sound (thus non-malleable) commitments to vectors from linearly homomorphic signatures. It is to be noted that the prior art schemes for constructing SSTCs do not directly allow committing to vectors while preserving the feasibility of efficiently proving knowledge of the committed vector. The method is illustrated in FIG. 2.

Let Π=(Keygen, Sign, SignDerive, Verify) is a linearly homomorphic signature over

_(p) ^(n) for some large prime p>2^(λ). It is assumed that Π uses groups

₁ and

₂ of public orders p^(k) and p, respectively, for some k∈

. It is also assumed that each signature σ lives in

₁. The verification algorithm takes as input a purported signature σ∈

₁, a file identifier τ and a vector {right arrow over (m)}. It returns 1 if and only if F(σ,{right arrow over (m)},pk,τ)=

, where F is a function ranging over the group

₂ and satisfying certain linearity properties. Namely, for each pk produced by Keygen and each τ, it is required that F(σ₁·σ₂,{right arrow over (m)}₁+{right arrow over (m)}₂,pk,τ)=F(σ₁,{right arrow over (m)}₁,pk,τ)·F(σ₂,{right arrow over (m)}₂,pk,τ) for any vectors {right arrow over (m)}₁,{right arrow over (m)}₂∈

_(p) ^(n) and any σ₁,σ₂∈

₁. As a consequence F(σ,{right arrow over (m)},pk,τ)^(ω)=F(σ^(ω),ω·{right arrow over (m)},pk,τ) for any ω∈

_(p) and any σ∈

₁.

It is to be noted that this template only captures schemes in groups of public order, so that constructions based on the Strong RSA assumption are not covered. The reason is that, when working over the integers, messages and signature components may increase at each homomorphic operation, which makes it harder to render fake openings indistinguishable from original de-commitments.

SSTC.Setup(λ, n): given the desired dimension n∈

of committed vectors, choose public parameters pp for the linearly homomorphic signature. Then run key generation algorithm Π^(SPS)·Keygen(pp,n) to obtain a public key pk and a private key sk. The commitment key is pk=pk and the trapdoor tk consists of sk. SSTC.Com(pk, tag, {right arrow over (m)}): to commit to a vector {right arrow over (m)}∈

_(p) ^(n) with respect to the tag, choose S1 an element

σ   R  1

in the signature space. Compute S2 and output S3 c=F (σ, {right arrow over (m)}, pk, tag) by evaluating F as the left-hand member of the verification equation F(σ, {right arrow over (m)}, pk, z)=

. The commitment string is com=c whereas the de-commitment is dec=σ. SSTC.FakeCom(pk, tk, tag): proceeds like SSTC.Com but using a randomly chosen vector

m  fake   R  p n .

If (

,

) denotes the resulting commitment/decommitment pair, the algorithm sets

=

and aux=({right arrow over (m)}_(fake),

). SSTC.FakeOpen(aux, tk, tag,

, {right arrow over (m)}): parses

as {tilde over (c)}∈

₂ and aux as ({right arrow over (m)}_(fake),

), where

={circumflex over (σ)}∈

₁. It first generates a linearly homomorphic signature on the coordinate-wise difference {right arrow over (m)}−{right arrow over (m)}_(fake)∈

_(p) ^(n) for the tag=τ. Namely, using the trapdoor tk=sk, it computes σ′←Π·Sign(sk, τ, {right arrow over (m)}−{right arrow over (m)}_(fake)). Finally, it computes {tilde over (σ)}={circumflex over (σ)}·σ′∈

₁ and returns

={tilde over (σ)}. SSTC.Verify(pk, tag, {right arrow over (m)}, com, dec): parses S4 the commitment com as c∈

₂ and the opening dec as σ∈

₁. If these do not parse properly, it returns S5 0. Otherwise, it returns S6 1 if c=F(σ,{right arrow over (m)},pk,tag) and 0 otherwise.

The linearly homomorphic scheme of Attrapadung et al. (see N. Attrapadung, B. Libert, T. Peters. Computing on Authenticated Data: New Privacy Definitions and Constructions. In Asiacrypt'12, in Lecture Notes in Computer Science vol. 7658, pp. 367-385, 2012.) can be seen as a specific instantiation of the template where the group

₁ is a product

₁=

²×

_(p), which is a group for the operation (·, ·, +), and

₂=

_(T). In the scheme,

₁ and

₂ thus have order p³ and p, respectively. As for the linear function F, it can be instantiated as

F((σ₁,σ₂ ,s),{right arrow over (m)},pk,τ):=e(σ₁ ,g ⁻¹)·e(

(τ),σ₂)·e(g ₁ ^(m) ¹ . . . g _(n) ^(m) ^(n) ·v ^(s) ,g ^(a))

As a result, a new non-interactive simulation-sound trapdoor commitment to vectors based on the Computational Diffie-Hellman (CDH) assumption is obtained.

It is noted that this scheme can be optimized by removing the terms v^(s) and s so as to have (σ₁,σ₂)=((Π_(i=1) ^(n)g_(i) ^(m) ^(i) )^(α)·

(τ)^(r),g^(r)) and

F((σ₁,σ₂),{right arrow over (m)},pk,τ):=e(σ₁ ,g ⁻¹)·e(

(τ),σ₂)·e(g _(n) ^(m) ¹ . . . g _(n) ^(m) ^(n) ,g ^(α))

Indeed, although the terms (v^(s),s)∈

×

_(p) are necessary in the underlying signature scheme, they can be eliminated in the resulting commitment.

The optimization gives rise to the following SSTC scheme which relies on the CDH assumption and which allows committing to vectors. It is to be noted that the prior art non-malleable commitments based on the CDH assumption were—implicitly or explicitly—described in two papers but it was not clear how to extend them to commit to vectors in a modular way (see Y. Dodis, V. Shoup, S. Walfish. Efficient Constructions of Composable Commitments and Zero-Knowledge Proofs. In Crypto'08, Lecture Notes in Computer Science, vol. 5157, pp. 21-38, 2008. and R. Nishimaki, E. Fujisaki, K. Tanaka. A Multi-trapdoor Commitment Scheme from the RSA Assumption. In ACISP 2010, Lecture Notes in Computer Science, vol. 6168, pp. 182-199, 2010.)

SSTC.Setup(λ, n): given the desired dimension n∈

of committed vectors, choose bilinear groups (

,

_(T)) of prime order p>2^(λ). Choose

α   R  p , g   R 

and u₀, . . . ,

$u_{L}\overset{R}{}$

for some L∈poly(λ). These elements u₀, . . . , u_(L)∈

^(L+1) are used to implement a number-theoretic hash function

:{0,1}^(L)>

such that any L-bit string τ=τ[1] . . . τ[L]∈{0,1}^(L) is mapped to the hash value

(τ)=u₀·Π_(i=1) ^(L)u_(i) ^(τ[i]). Then

$g_{i}\overset{R}{}$

are chosen for i=1 to n and the identifier space

:={0,1}^(L) is defined. The trapdoor is tk=α and the public key consists of pk=((

,

_(T)),g,g^(α),{g_(i)}_(i=1) ^(n),{u_(i)}_(i=0) ^(L)). SSTC.Com(pk, tag, {right arrow over (m)}): to commit to a vector {right arrow over (m)}=(m₁, . . . m_(n))∈

_(p) ^(n) with respect to the tag, choose elements σ₁,

$\sigma_{2}\overset{R}{}$

in the signature space and compute

c=e(g ₁ ^(m) ¹ . . . g _(n) ^(m) ^(n) ,g ^(α))·e(g ⁻¹,σ₁)·e(

(tag),σ₂).

Return the commitment string com=c∈

_(T) and the de-commitment dec=(σ₁,σ₂)∈

².

SSTC.FakeCom(pk, tk, tag): proceeds like SSTC.Com but using a randomly chosen vector

m  fake   R  p n .

If (

,

) denotes the resulting commitment/decommitment pair, the algorithm sets

=

and aux=({right arrow over (m)}_(fake),

). SSTC.FakeOpen(aux, tk, tag,

, {right arrow over (m)}): parses

as {tilde over (c)}∈

_(T) and aux as ({right arrow over (m)}_(fake),

), where

=(σ₁, σ₂)∈

². It first generates a linearly homomorphic signature (σ′_(l), σ′₂)∈

² on the difference (m₁′, . . . , m_(n)′)={right arrow over (m)}−{right arrow over (m)}_(fake)∈

_(p) ^(n) for the tag tag. Namely, using tk=α, it computes σ′₁=(g₁ ^(m′) ¹ . . . g_(n) ^(m′) ^(n) )^(α)·

(tag)^(r) and σ′₂=g^(r) which satisfies

=e(g ₁ ^(m′) ¹ . . . g _(n) ^(m′) ^(n) ,g ^(α))·e(g ⁻¹,σ′₁)·e(

(tag),σ′₂).

Finally, it computes ({tilde over (σ)}₁,{tilde over (σ)}₂)=({circumflex over (σ)}₁·σ′₁,{circumflex over (σ)}₂·σ′₂)∈

² and returns

=({tilde over (σ)}₁,{tilde over (σ)}₂). SSTC.Verify(pk, tag, {right arrow over (m)}, com, dec): parses the commitment com as c∈

_(T) and the opening dec as (σ₁, σ₂)∈

². If these do not parse properly, it returns 0. Otherwise, it returns 1 if (σ₁, σ₂) satisfies c=e(g₁ ^(m) ¹ . . . g_(n) ^(m) ^(n) ,g^(α))·e(g⁻¹,σ₁)·e(H

(tag),σ₂) and 0 otherwise. Before the presentation of a further SSTC scheme, there follows a description of its underlying linearly homomorphic structure-preserving signature scheme. Keygen(pp, n): given a security parameter and the dimension n∈

of the subspace to be signed, choose bilinear groups (

,

_(T)) of prime order p>2^(λ) perform the following steps:

-   -   1. Choose

$h\overset{R}{}$

and α_(z), α_(r),

β z   R  p .

Define g_(z)=h^(α) ^(z) , g_(r)=h^(α) ^(r) and h_(z)=h^(β) ^(z) .

-   -   2. For each i∈{1, . . . , n}, pick χ_(i), γ_(i),

δ i   R  p

and compute g_(i)=g_(z) ^(χi)g_(r) ^(γi), h_(i)=h_(z) ^(χi)h^(δ) ^(i) .

-   -   3. Choose a random vector

w _ = ( w 0 , w 1 , …  , w L )  ← R  L + 1

that defines a hash function

: {0,1}^(L)→

which maps τ=τ[1] . . . τ[L]∈{0,1}^(L) to

(τ)=w₀·Π_(k=1) ^(L)w_(k) ^(τ[k]).

-   -    The public key consists of

pk=(g _(z) ,g _(r) ,h _(z) ,h,{g _(i) ,h _(i)}_(i=1) ^(n) , w )∈

^(2n+4)×

^(L+1)

while the private key is sk=(h_(z) ^(α) ^(r) ,{χ_(i),γ_(i),δ_(i)}_(i=1) ^(n)). Sign(sk, τ, (M₁, . . . , M_(n))): to sign a vector (M₁, . . . , M_(n))∈

^(n) with regard to the file identifier τ using sk=(h_(z) ^(α) ^(r) ,{χ_(i),γ_(i),δ_(i)}_(i=1) ^(n)), choose θ,

ρ  ← R  p

and compute

${z = {g_{r}^{\theta} \cdot {\prod\limits_{i = 1}^{n}M_{i}^{- \chi_{i}}}}},{r = {g_{z}^{- \theta} \cdot {\prod\limits_{i = 1}^{n}M_{i}^{- \gamma_{i}}}}},{u = {\left( h_{z}^{\alpha_{r}} \right)^{- \theta} \cdot {\prod\limits_{i = 1}^{n}{{M_{i}^{- \delta_{i}} \cdot}(\tau)^{- \rho}}}}},{v = h^{\rho}}$

The signature comprises σ=(z, r, u, v)∈

⁴.

SignDerive(pk, τ, {(ω_(i)σ^((i)))}_(i=1) ^(l)): given pk, a file identifier τ and l tuples (ω_(i), σ^((i))), parse each signature σ^((i)) as σ^((i))=(z_(i),r_(i),u_(i),v_(i))∈

⁴ for i=1 to l. Then choose

ρ ′  ← R  p

and compute

$z = {\prod\limits_{i = 1}^{l}z_{i}^{\omega_{i}}}$ $r = {\prod\limits_{i = 1}^{l}r_{i}^{\omega_{i}}}$ $u = {\prod\limits_{i = 1}^{l}{u_{i}^{\omega_{i}} \cdot {H_{}(\tau)}^{- \rho^{\prime}}}}$ $v = {\prod\limits_{i = 1}^{l}{{v_{i}^{\omega_{i}} \cdot h}\; \rho^{\prime}}}$

and return σ=(z, r, u, v). Verify(pk, σ, τ, (M₁, . . . , M_(n))): given a signature σ=(z,r,u,v)∈

⁴, a file identifier τ and a vector (M₁, . . . , M_(n)), return 1 if and only if (M₁, . . . , M_(n))≠(

, . . . ,

) and (z, r, u, v) satisfy the equalities

${= {{e\left( {g_{z},z} \right)} \cdot {e\left( {g_{r},r} \right)} \cdot {\prod\limits_{i = 1}^{n}{e\left( {g_{i},M_{i}} \right)}}}},{= {{e\left( {h_{z},z} \right)} \cdot {e\left( {h,u} \right)} \cdot {e\left( {{(\tau)},v} \right)} \cdot {\prod\limits_{i = 1}^{n}{{e\left( {h_{i},M_{i}} \right)}.}}}}$

SSTC from Linearly Homomorphic Structure-Preserving Signatures

A particularly advantageous embodiment is obtained by applying the Construction of Structure-Preserving Simulation-Sound Trapdoor Commitments to the linearly homomorphic signature described hereinafter.

Like the underlying homomorphic signature, the security of the resulting SSTC (which is structure-preserving) relies on the hardness of the Simultaneous Double Pairing (SDP) problem.

SSTC.Setup(λ, n): given the desired dimension n∈

of committed vectors, choose bilinear groups (

,

_(T)) of prime order p>2^(λ). Then:

-   -   1. Choose

$h\overset{R}{\leftarrow}$

and α_(z), α_(r)

β z  ← R  p .

-   -   2. Define g_(z)=h^(α) ^(z) , g_(r)=h^(α) ^(r) and h_(z)=h^(β)         ^(z) .     -   3. For each i∈{1, . . . , n}, pick χ_(i), γ_(i)

δ i  ← R  p

and compute g_(i)=g_(z) ^(χi)'g_(r) ^(γi), h_(i)=h_(z) ^(χi)h^(δi).

-   -   4. Choose a random vector

w _ = ( w 0 , …  , w L )  ← R  L + 1

that defines a hash function

: {0,1}^(L)→

which maps τ=τ[1] . . . τ[L]∈{0,1}^(L) to

(τ)=w₀·Π_(k=1) ^(L)w_(k) ^(τ[k]). The public key consists of

pk=(g _(z) ,g _(r) ,h _(z) ,h,{g _(i) ,h _(i)}_(i=1) ^(n) , w )∈

^(2n+4)×

^(L+1)

while the trapdoor is tk=(h_(z) ^(α) ^(r) ,{χ_(i),γ_(i),δ_(i)}_(i=1) ^(n)). SSTC.Com(pk, tag, (M₁, . . . , M_(n))): to commit to a vector (M₁, . . . , M_(n))∈

^(n), choose z, r, u,

$v\overset{R}{\leftarrow}{\mspace{14mu} {and}\mspace{14mu} {compute}}$ c 1 = e  ( g z , z ) · e  ( g r , r ) · ∏ i = 1 n  e  ( g i , M i ) ,  c 2 = e  ( h z , z ) · e  ( h , u ) · e  (  ( tag ) , v ) · ∏ i = 1 n  e  ( h i , M i ) .  Then   return   com = ( c 1 , c 2 ) ∈ T 2   and   dec = ( z , r , u , v ) ∈ 4 .

SSTC.FakeCom(pk, tk, tag): choose {circumflex over (M)}₁, . . . ,

${\hat{M}}_{n}\overset{R}{\leftarrow}$

and z, r, u,

$v\overset{R}{\leftarrow}$

and compute

c 1 = e  ( g z , z ) · e  ( g r  , r ) · ∏ i = 1 n  e  ( g i , M ^ i ) ,  c 2 = e  ( h z , z ) · e  ( h , u ) · e  (  ( tag ) , v ) · ∏ i = 1 n  e  ( h i , M ^ i ) .  Then   return   com = ( c 1 , c 2 ) ∈ T 2   and aux = ((M̂₁, …  , M̂_(n)), z, r, u, v).

SSTC.FakeOpen (aux, tk, tag,

, (M₁, . . . , M_(n))): generate a linearly homomorphic signature (z′, r′, u′, v′) on the vector (M₁/{circumflex over (M)}₁, . . . , M_(n)/{circumflex over (M)}_(n)) using the underlying linearly homomorphic SPS described hereinafter. Then compute ({tilde over (z)}, {tilde over (r)}, ũ, {tilde over (v)})=(z·z′, r·r′, u·u′, v·v′). Return dec=({tilde over (z)}, {tilde over (r)}, ũ, {tilde over (v)}), which satisfies

${c_{1} = {{e\left( {g_{z},\overset{\sim}{z}} \right)} \cdot {e\left( {g_{r},\overset{\sim}{r}} \right)} \cdot {\prod\limits_{i = 1}^{n}{e\left( {g_{i},M_{i}} \right)}}}},{c_{2} = {{e\left( {h_{z},\overset{\sim}{z}} \right)} \cdot {e\left( {h,\overset{\sim}{u}} \right)} \cdot {e\left( {{({tag})},\overset{\sim}{v}} \right)} \cdot {\prod\limits_{i = 1}^{n}{{e\left( {h_{i},M_{i}} \right)}.}}}}$

SSTC.Verify(pk, tag, (M₁, . . . , M_(n)), com, dec): parses the commitment com as (c₁, c₂)∈

_(T) ² and the opening dec as (z,r,u,v)∈

⁴. If these do not parse properly, it returns 0. Otherwise, it returns 1 if (z, r, u, v)

${c_{1} = {{e\left( {g_{z},z} \right)} \cdot {e\left( {g_{r},r} \right)} \cdot {\prod\limits_{\; {i = 1}}^{n}{e\left( {g_{i},M_{i}} \right)}}}},{c_{2} = {{e\left( {h_{z},z} \right)} \cdot {e\left( {h,u} \right)} \cdot {e\left( {{({tag})},v} \right)} \cdot {\prod\limits_{i = 1}^{n}{{e\left( {h_{i},M_{i}} \right)}.}}}}$

and 0 otherwise.

The skilled person will appreciate that the schemes of the present invention, which works on vectors, also works on scalars (for which the dimension n equals 1). Thus, the dimension n can be any positive integer: 1, 2, 3 . . . .

It will be appreciated that the schemes of the present invention can provide a commitment scheme with the desired features.

Each feature disclosed in the description and (where appropriate) the claims and drawings may be provided independently or in any appropriate combination. Features described as being implemented in hardware may also be implemented in software, and vice versa. Reference numerals appearing in the claims are by way of illustration only and shall have no limiting effect on the scope of the claims. 

1. A method of generating a non-malleable cryptographic commitment, the method comprising the steps in a processor of a device, of: receiving a vector {right arrow over (m)}, a public verification key of a homomorphic signature scheme associated with a space where signatures live, and a tag; choosing an element σ in the space where signatures live; generating a commitment c using the vector {right arrow over (m)}, the public verification key, the tag and the element σ; and outputting the commitment c; wherein the commitment c is generated by evaluating a linear function F used in a verification algorithm of the homomorphic signature scheme on the vector {right arrow over (m)}, the public verification key, the tag and the element σ.
 2. The method of claim 1, wherein the size of the commitment c is independent of the size of the vector {right arrow over (m)}.
 3. The method of claim 1, wherein the vector {right arrow over (m)} comprises elements of a group

over which a bilinear map

×

×

, is efficiently computable.
 4. The method of claim 1, wherein the dimension of the vector {right arrow over (m)} is greater than or equal to
 2. 5. The method of claim 1, wherein the commitment c allows to prove knowledge of an opening using zero-knowledge proof.
 6. The method of claim 1, wherein the commitment c is generated as intermediate values resulting from the verification algorithm.
 7. A device for generating a non-malleable cryptographic commitment, the device comprising: at least one interface configured to: receive a vector {right arrow over (m)}, a public verification key of a homomorphic signature scheme associated with a space where signatures live, and a tag; and output a commitment c; and a processor configured to: choose an element σ in the space where signatures live; and generate the commitment c using the vector {right arrow over (m)}, the public verification key, the tag and the element σ; wherein the processor is configured to generate the commitment c by evaluating a linear function Fused in a verification algorithm of the homomorphic signature scheme on the vector {right arrow over (m)}, the public verification key, the tag and the element σ.
 8. The device of claim 7, wherein the size of the commitment c is independent of the size of the vector {right arrow over (m)}.
 9. The device of claim 7, wherein the vector {right arrow over (m)}comprises elements of a group

over which a bilinear map

×

→

, is efficiently computable.
 10. The device of claim 7, wherein the dimension of the vector {right arrow over (m)} is greater than or equal to
 2. 11. The device of claim 7, wherein the commitment c allows to prove knowledge of an opening using zero-knowledge proof.
 12. The device of claim 7, wherein the commitment c is generated as intermediate values resulting from the verification algorithm.
 13. A non-transitory computer program product storing instructions that, when executed by a processor, perform the method of claim
 1. 